I want to set up a point-to-point tunnel. My `/etc/network/interface` looks like this:
```
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
    address 127.0.0.1
    netmask 255.0.0.0

auto eth0
iface eth0 inet manual
    netmask 255.255.0.0
    up ifconfig eth0 up

auto eth1
iface eth1 inet static
    address 192.168.2.61
    netmask 255.255.255.0
    gateway 192.168.2.1
    dns-nameservers 192.168.2.1 217.237.148.70

auto eth2
iface eth2 inet manual
    up ifconfig eth2 up

auto tun0
iface tun0 inet static
    address 192.168.99.129
    pointopoint 192.168.99.129
    netmask 255.255.255.252
    mtu 8300
    hw ether 00:00:00:00:00:00
    tunctl_user sys
```
I restart the network:

```
# sudo /etc/init.d/networking restart
[ ok ] Restarting networking (via systemctl): networking.service.
```
… and I get:

```
# ifconfig
eth0      Link encap:Ethernet  Hardware Adresse 00:e0:f4:18:ca:72
          inet6-Adresse: fe80::2e0:f4ff:fe18:ca72/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:1534 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:777 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:138060 (138.0 KB)  TX-Bytes:85779 (85.7 KB)

eth1      Link encap:Ethernet  Hardware Adresse 00:e0:f4:18:ca:73
          inet Adresse:192.168.2.61  Bcast:192.168.2.255  Maske:255.255.255.0
          inet6-Adresse: 2003:57:e712:931c:2e0:f4ff:fe18:ca73/64 Gültigkeitsbereich:Global
          inet6-Adresse: fe80::2e0:f4ff:fe18:ca73/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:3391 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:1123 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:499727 (499.7 KB)  TX-Bytes:190601 (190.6 KB)

eth2      Link encap:Ethernet  Hardware Adresse 00:e0:f4:18:ca:74
          UP BROADCAST MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:0 (0.0 B)  TX-Bytes:0 (0.0 B)

lo        Link encap:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX-Pakete:352 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:352 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1
          RX-Bytes:27811 (27.8 KB)  TX-Bytes:27811 (27.8 KB)

tun0      Link encap:Ethernet  Hardware Adresse 42:12:97:b6:a8:2e
          inet Adresse:192.168.99.129  Bcast:192.168.99.255  Maske:255.255.255.255
          UP BROADCAST MULTICAST  MTU:8300  Metrik:1
          RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:0 (0.0 B)  TX-Bytes:0 (0.0 B)
```
I have the following questions:

- `tun0` should be a point-to-point connection. The command `pointopoint 192.168.99.129` seems to be ignored.
- The hardware address should be `00:00:00:00:00:00` because of the command `hw ether`. This is also ignored.

What can I do?
Answer 1
I have comments and suggestions. The comments are:

1) `eth0` and `eth2` can perfectly live without an IPv4 address. An IPv4 address is not mandatory at all.
2) `eth2` seems to be a dummy.
3) Virtual Ethernet is possible. Ethernet supports point-to-point. For more information on virtual Ethernet I recommend sites like this or that. `lo` is a virtual one. However, SSL/TLS is not necessary for a tunnel.

My suggestions are the following:

1) `eth0` and `eth2` are OK. I don't see any reason for changes. You don't need to add an IP address.
2) The mask of `tun0` seems not to work. It could be that this is a bug or a feature. I don't know a workaround. Could you please cross-check it?
3) You must also set up a route if you want to use a tunnel. Please check with `route -n` whether you have set it. I expect a route to `192.168.99.XYZ`.
4) If you haven't set up any route, you can do it in `interface` by adding
   `up iptables -t nat -A POSTROUTING -s 192.168.99.XYZ/255.255.255.252 -j MASQUERADE` and
   `down iptables -t nat -D POSTROUTING -s 192.168.99.XYZ/255.255.255.252 -j MASQUERADE`
   at the end of `tun0`. Replace `XYZ` with the IP address of server 2. Maybe the mask at the IP addresses will work.
5) If you want to set a hardware address, you have to use `-` instead of `:`. However, I doubt that `hwaddress ether 00-00-00-00-00-00` will work because it is an invalid address. But give it a try.
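As an added check, not part of the question or of either answer: a small shell linter for a point-to-point `iface` stanza that flags the two defects in the question's `tun0` block, `pointopoint` set to the interface's own address instead of the peer's, and `hw ether`, which is not an interfaces(5) keyword (the keyword answer 1 names, `hwaddress`, is the right one). The stanzas are constructed, trimmed copies of the question's block; the peer address 192.168.99.130 and the locally administered MAC in the corrected version are assumptions.

```shell
# Constructed, trimmed copy of the tun0 stanza from the question (not a live file).
TUN0_STANZA='iface tun0 inet static
    address 192.168.99.129
    pointopoint 192.168.99.129
    netmask 255.255.255.252
    hw ether 00:00:00:00:00:00'

# Corrected stanza: the peer address and the locally administered MAC are assumptions.
FIXED_STANZA='iface tun0 inet static
    address 192.168.99.129
    pointopoint 192.168.99.130
    netmask 255.255.255.252
    hwaddress ether 02:00:00:00:00:01'

# Print the value of option $1 from the stanza on stdin (empty if absent).
stanza_opt() {
    awk -v key="$1" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# Lint the stanza on stdin: one finding per line; exit status 1 if there is any finding.
lint_ptp_stanza() {
    stanza=$(cat)
    findings=0
    addr=$(printf '%s\n' "$stanza" | stanza_opt address)
    peer=$(printf '%s\n' "$stanza" | stanza_opt pointopoint)
    mask=$(printf '%s\n' "$stanza" | stanza_opt netmask)
    hw=$(printf '%s\n' "$stanza" | stanza_opt hw)
    if [ -z "$peer" ]; then
        echo "no pointopoint option: the link will not be point-to-point"
        findings=$((findings + 1))
    elif [ "$peer" = "$addr" ]; then
        echo "pointopoint equals address: it must name the far end of the link"
        findings=$((findings + 1))
    fi
    if [ -n "$hw" ]; then
        echo "'hw' is not an interfaces(5) option (ifupdown ignores it); use 'hwaddress ether <mac>'"
        findings=$((findings + 1))
    fi
    # A point-to-point link has two ends, so anything wider than a /30 is suspicious.
    case "$mask" in
        255.255.255.252|255.255.255.254|255.255.255.255|"") ;;
        *) echo "netmask $mask is wider than a /30 on a point-to-point link"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

printf '%s\n' "$TUN0_STANZA" | lint_ptp_stanza || echo "-> fix the stanza before restarting networking"
printf '%s\n' "$FIXED_STANZA" | lint_ptp_stanza && echo "-> corrected stanza: no findings"
```

Note also that `tun0` in the question's output shows `Link encap:Ethernet`, a MAC address and BROADCAST, i.e. it is a tap (Ethernet) device rather than a layer-3 tun device, which ifconfig lists as `Link encap:UNSPEC`.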
Answer 2
If your description is correct, you don't need a tunnel, you need to fix your configuration and possibly your routing. Let's sum this up:

Server 1:

- `eth0`: connected to some unknown ethernet segment A, without a valid IPv4 address, and with a netmask of `255.255.0.0` that's useless because there's no valid IPv4 address. It may receive broadcasts on the MAC level and IPv6 for its link-local address, but neither sending nor receiving broadcasts, nor anything else IPv4, will work without a valid IPv4 address.
- `eth1`: connected to some ethernet segment B with `192.168.2.0/24`, a gateway at `192.168.2.1` in this segment, and the option to route into some segment C with `192.168.99.0/24`.

Server 2:

- `eth?`: connected to segment C with `192.168.99.0/24`.

Ping between server 1 and server 2 works, so ICMP packets must be correctly routed from segment B to segment C. Telnet and some unspecified application don't work, which means TCP packets are not correctly routed from segment B to segment C.

To establish a tunnel between server 1 and server 2, you'll need a connection between server 1 and server 2 that works reliably for TCP or UDP packets. Then you can "tunnel" packets directly over this connection. However, since you have a connection in the first place, a tunnel is not really necessary; you could just use this connection. Exception: your router blocks TCP packets but not UDP packets; then you could use UDP to encapsulate TCP.

So you must fix whatever prevents the connection between server 1 and server 2 from working. That problem is in the router (which you have told us nothing about), and possibly in the network between segment B and segment C (which you have also told us nothing about).